Navigation

← Previous Changeset
Next Changeset →

Changeset 2237

Timestamp:

06/13/08 07:05:15 (4 months ago)

Author:

dsugar

Message:

property generate iptables rules based on direction of access (for local and remote ip information)

Files:

trunk/framework-plugin/src/com/tresys/framework/compiler/translator/NetworkSecmark.java (modified) (5 diffs)

Legend:

: Unmodified
: Added
: Removed
: Modified
: Copied
: Moved

trunk/framework-plugin/src/com/tresys/framework/compiler/translator/NetworkSecmark.java

r2144	r2237
20	20	import com.tresys.framework.compiler.dictionary.Rdef;
21	21	import com.tresys.framework.compiler.dictionary.SysResourceState;
	22	import com.tresys.framework.compiler.dictionary.Verb;
22	23	import com.tresys.framework.compiler.policy.Ability;
23	24	import com.tresys.framework.compiler.policy.AccessBaseResource;
…	…
75	76	*/
76	77	public void Visit (Resource i_resource)
	78	{}
	79
	80	public void Visit (NetworkResource i_resource)
	81	{}
	82
	83	/* (non-Javadoc)
	84	* @see com.tresys.framework.compiler.policy.IPolicyVisitor#Visit(com.tresys.framework.compiler.policy.Domain)
	85	*/
	86	public void Visit (Domain i_domain)
	87	{}
	88
	89	/* (non-Javadoc)
	90	* @see com.tresys.framework.compiler.policy.IPolicyVisitor#Visit(com.tresys.framework.compiler.policy.Enter)
	91	*/
	92	public void Visit (Enter i_enter)
	93	{}
	94
	95	/* (non-Javadoc)
	96	* @see com.tresys.framework.compiler.policy.IPolicyVisitor#Visit(com.tresys.framework.compiler.policy.EntrypointResource)
	97	*/
	98	public void Visit (EntrypointResource point)
	99	{}
	100
	101	/* (non-Javadoc)
	102	* @see com.tresys.framework.compiler.policy.IPolicyVisitor#Visit(com.tresys.framework.compiler.policy.AccessBoolean)
	103	*/
	104	public void Visit (AccessBoolean i_access)
	105	{}
	106
	107	/* (non-Javadoc)
	108	* @see com.tresys.framework.compiler.policy.IPolicyVisitor#Visit(com.tresys.framework.compiler.policy.AccessBaseResource)
	109	*/
	110	public void Visit (AccessBaseResource i_access)
	111	{}
	112
	113	/* (non-Javadoc)
	114	* @see com.tresys.framework.compiler.policy.IPolicyVisitor#Visit(com.tresys.framework.compiler.policy.AccessResource)
	115	*/
	116	public void Visit (AccessResource i_access)
	117	{}
	118
	119	/* (non-Javadoc)
	120	* @see com.tresys.framework.compiler.policy.IPolicyVisitor#Visit(com.tresys.framework.compiler.policy.AccessNetwork)
	121	*/
	122	public void Visit (AccessNetwork i_access)
77	123	{
78		}
79
80		public void Visit (NetworkResource i_resource)
81		{
82		Map rdefs = i_resource.GetRdefs();
	124	Integer nVerb = i_access.verb ();
	125	if (nVerb == null)
	126	return;
	127
	128	Resource netResource = (Resource) i_access.getResource ();
	129	Map rdefs = netResource.GetRdefs();
83	130	for (Iterator itr = rdefs.values().iterator(); itr.hasNext(); )
84	131	{
…	…
86	133	if (rdef.GetSysResourceState (SystemResourceTypes.secmark) != SysResourceState.No)
87	134	{
88		Collection resources = ~~i_r~~esource.GetSystemResources (rdef);
	135	Collection resources = netResource.GetSystemResources (rdef);
89	136	for (Iterator itr2 = resources.iterator (); itr2.hasNext (); )
90	137	{
…	…
97	144
98	145	StringBuffer typeBuf = new StringBuffer ();
99		typeBuf.append (~~i_r~~esource.getUser ());
	146	typeBuf.append (netResource.getUser ());
100	147	typeBuf.append (':');
101		typeBuf.append (~~i_r~~esource.getRole ());
	148	typeBuf.append (netResource.getRole ());
102	149	typeBuf.append (':');
103		typeBuf.append (~~i_r~~esource.GetTypeWithDictionaryObject(rdef.GetName()));
104
105		String sSensitivtity = ~~i_r~~esource.getSensitivity ();
	150	typeBuf.append (netResource.GetTypeWithDictionaryObject(rdef.GetName()));
	151
	152	String sSensitivtity = netResource.getSensitivity ();
106	153	if (sSensitivtity.length () > 0)
107	154	{
…	…
110	157	}
111	158
112		m_netBuffer.print ("iptables -t mangle -A INPUT -j SECMARK --selctx ");
113		m_netBuffer.print (typeBuf.toString ());
114
115		if (net.getProtocol () != null)
116		m_netBuffer.print (" --protocol " + net.getProtocol ());
117		{
118		NetworkInfo netInfo = net.getLocalInfo ();
119		if (netInfo != null)
120		{
121		if (netInfo.getIPAddr () != null)
122		m_netBuffer.print (" --destination " + netInfo.getIPAddr ());
123		if (netInfo.getMask () != null)
124		m_netBuffer.print ("/" + netInfo.getMask ());
125
126		if (netInfo.getDevice () != null)
127		m_netBuffer.print (" --in-interface " + netInfo.getDevice ());
128
129		int [] ports = netInfo.getPorts ();
130		if (ports != null && ports.length > 0)
131		{
132		for (int i = 0; i < ports.length; i++)
133		m_netBuffer.print (" --destination-port " + ports[i]);
134		}
135		}
136		}
137
138		{
139		NetworkInfo netInfo = net.getRemoteInfo ();
140		if (netInfo != null)
141		{
142		if (netInfo.getIPAddr () != null)
143		m_netBuffer.print (" --source " + netInfo.getIPAddr ());
144		if (netInfo.getMask () != null)
145		m_netBuffer.print ("/" + netInfo.getMask ());
146
147		if (netInfo.getDevice () != null)
148		m_netBuffer.print (" --out-interface " + netInfo.getDevice ());
149
150		int [] ports = netInfo.getPorts ();
151		if (ports != null && ports.length > 0)
152		{
153		for (int i = 0; i < ports.length; i++)
154		m_netBuffer.print (" --source-port " + ports[i]);
155		}
156		}
157		}
	159	if (nVerb.intValue () == Verb.read \|\| nVerb.intValue () == Verb.readwrite)
	160	OutputRules (typeBuf.toString (), net.getProtocol (), net.getLocalInfo (), net.getRemoteInfo ());
	161
	162	if (nVerb.intValue () == Verb.write \|\| nVerb.intValue () == Verb.readwrite)
	163	OutputRules (typeBuf.toString (), net.getProtocol (), net.getRemoteInfo (), net.getLocalInfo ());
158	164	}
159	165	}
160	166	}
161	167	}
162
163		/* (non-Javadoc)
164		* @see com.tresys.framework.compiler.policy.IPolicyVisitor#Visit(com.tresys.framework.compiler.policy.Domain)
165		*/
166		public void Visit (Domain i_domain)
167		{}
168
169		/* (non-Javadoc)
170		* @see com.tresys.framework.compiler.policy.IPolicyVisitor#Visit(com.tresys.framework.compiler.policy.Enter)
171		*/
172		public void Visit (Enter i_enter)
173		{}
174
175		/* (non-Javadoc)
176		* @see com.tresys.framework.compiler.policy.IPolicyVisitor#Visit(com.tresys.framework.compiler.policy.EntrypointResource)
177		*/
178		public void Visit (EntrypointResource point)
179		{}
180
181		/* (non-Javadoc)
182		* @see com.tresys.framework.compiler.policy.IPolicyVisitor#Visit(com.tresys.framework.compiler.policy.AccessBoolean)
183		*/
184		public void Visit (AccessBoolean i_access)
185		{}
186
187		/* (non-Javadoc)
188		* @see com.tresys.framework.compiler.policy.IPolicyVisitor#Visit(com.tresys.framework.compiler.policy.AccessBaseResource)
189		*/
190		public void Visit (AccessBaseResource i_access)
191		{}
192
193		/* (non-Javadoc)
194		* @see com.tresys.framework.compiler.policy.IPolicyVisitor#Visit(com.tresys.framework.compiler.policy.AccessResource)
195		*/
196		public void Visit (AccessResource i_access)
197		{}
198
199		/* (non-Javadoc)
200		* @see com.tresys.framework.compiler.policy.IPolicyVisitor#Visit(com.tresys.framework.compiler.policy.AccessNetwork)
201		*/
202		public void Visit (AccessNetwork i_access)
203		{}
	168
	169	/**
	170	* OutputRules - generate iptables rule
	171	* @param i_sType - Full SELinux type for labeling of incoming packets
	172	* @param i_sProtocol - Network protocol (UDP \|\| TCP)
	173	* @param i_source - Source network information
	174	* @param i_destination - Destination network information
	175	*/
	176	private void OutputRules (String i_sType, String i_sProtocol, NetworkInfo i_source, NetworkInfo i_destination)
	177	{
	178	m_netBuffer.print ("iptables -t mangle -A INPUT ");
	179	if (i_sType != null)
	180	{
	181	m_netBuffer.print ("-j SECMARK --selctx ");
	182	m_netBuffer.print (i_sType);
	183	}
	184
	185	if (i_sProtocol != null)
	186	m_netBuffer.print (" --protocol " + i_sProtocol);
	187
	188	if (i_source != null)
	189	{
	190	if (i_source.getIPAddr () != null)
	191	m_netBuffer.print (" --destination " + i_source.getIPAddr ());
	192	if (i_source.getMask () != null)
	193	m_netBuffer.print ("/" + i_source.getMask ());
	194
	195	if (i_source.getDevice () != null)
	196	m_netBuffer.print (" --in-interface " + i_source.getDevice ());
	197
	198	int [] ports = i_source.getPorts ();
	199	if (ports != null && ports.length > 0)
	200	{
	201	for (int i = 0; i < ports.length; i++)
	202	m_netBuffer.print (" --destination-port " + ports[i]);
	203	}
	204	}
	205	if (i_destination != null)
	206	{
	207	if (i_destination.getIPAddr () != null)
	208	m_netBuffer.print (" --source " + i_destination.getIPAddr ());
	209	if (i_destination.getMask () != null)
	210	m_netBuffer.print ("/" + i_destination.getMask ());
	211
	212	if (i_destination.getDevice () != null)
	213	m_netBuffer.print (" --out-interface " + i_destination.getDevice ());
	214
	215	int [] ports = i_destination.getPorts ();
	216	if (ports != null && ports.length > 0)
	217	{
	218	for (int i = 0; i < ports.length; i++)
	219	m_netBuffer.print (" --source-port " + ports[i]);
	220	}
	221	}
	222	m_netBuffer.println ();
	223	}
204	224
205	225	/* (non-Javadoc)

Download in other formats:

Unified Diff
Zip Disabled

* Generating other formats may take time.